verify hg.mozilla.org with bundled CA root

Before this, make-ca does not verify the certificate of hg.mozilla.org
at all.  It makes sense as make-ca often runs on systems without a trust
anchor.  But, a MIM can easily fake hg.mozilla.org and completely hijack
the trust anchor of a BLFS system.

To improve the situation, we ship the certificate of the CA root for
hg.mozilla.org (DigiCert Global Root CA) in the make-ca package, and use
it to verify hg.mozilla.org.
Xi Ruoyao
2022-01-31 18:52:21 +08:00
parent 3093851fdd
commit d3562bc2f0
4 changed files with 40 additions and 3 deletions


@@ -1,3 +1,5 @@
1.11 - Ship certificate of the CA root of hg.mozilla.org and use it for
verification
1.10 - Use --filter=ca-anchors for all stores
- Update CS.txt (no changes since last update)
- Fix installation of systemd timers on non-systemd systems
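
Review bot: The new 1.11 entry at the top of this hunk says a CA root is shipped but does not say which one, so a reader of the changelog alone cannot tell what the download is now pinned to. Name it in the entry as the commit message does (DigiCert Global Root CA), and consider adding a line that the bundled root has to be replaced in a new release if hg.mozilla.org ever moves to a chain under a different root, since verification against the shipped certificate would then fail.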